MCSA Tutor'D

Sunday, 19 July 2015

1.a.com and 2.a.com are in the same domain, where 1.a.com is the forest root domain controller and holds two operation masters, i.e.
1. Domain Naming Master
2. Schema Master

The domain naming master allows the creation of other domains within the same forest. The Enterprise Admins group has this permission.

The schema master declares the schema for all
the domain controllers in the forest.

2.a.com has the AD DS database but does not hold these two roles.

By default the global catalog is installed on the root domain controller and is optional on other domain controllers (Microsoft recommends having the Global Catalog installed on all DCs).

The global catalog is used to search for objects across the other domains of a multi-domain forest. Since the AD database is only the same within a domain, searching for objects/resources in another domain needs a global catalog server. Hence it is best practice to make all the domain controllers global catalog servers. The GC stores only limited information about each object, such as location and username.

If we do not have a global catalog server, then the domain operations master, i.e. the Infrastructure Master, is used to fetch the resources across the multi-domain forest.

It uses the SIDs of objects in other AD domains, which are obtained partially from AD and partially from the RID master.

The RID master gives the unique number in the SID, the RID, to every object in an Active Directory domain.

For e.g. ClientPC is a member of the domain “a.com” and user1 is logged into it. The LSA (Local Security Authority) will give a unique SID where the first three blocks are used for the resource type (S-1-5-21), the other three blocks are the AD database number, and the final block, e.g. 500, is the RID (the unique number given to the object user1).

So all the objects should get unique RIDs, but in case we have multiple DCs in a domain, the RID master assigns each of them a block of RIDs so that they never overlap.
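As an added example (not code from the original post), the following Python parses a domain SID of the form just described, checks whether two SIDs come from the same AD database, names well-known RIDs such as 500, and maps a RID back to the DC whose RID-master-assigned block contains it; the SID values and the RID pools for 1.a.com and 2.a.com are constructed sample data.

```python
import re

# Well-known RIDs that exist in every domain; Windows fixes these, the RID
# master does not hand them out from a pool.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}

# Account SIDs in a domain look like S-1-5-21-<d1>-<d2>-<d3>-<RID>:
# S-1-5-21 is the fixed prefix, d1..d3 identify the domain's AD database,
# and the final block is the RID issued to the object.
_DOMAIN_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")

def parse_sid(text):
    """Return (domain_id, rid); rid is None for the domain's own SID."""
    m = _DOMAIN_SID.match(text.strip())
    if not m:
        raise ValueError("not a domain SID: %r" % text)
    d1, d2, d3, rid = m.groups()
    domain_id = (int(d1), int(d2), int(d3))
    if any(v > 0xFFFFFFFF for v in domain_id):
        raise ValueError("sub-authority out of 32-bit range: %r" % text)
    return domain_id, (int(rid) if rid is not None else None)

def same_domain(sid_a, sid_b):
    """True when both SIDs share the same AD database number."""
    return parse_sid(sid_a)[0] == parse_sid(sid_b)[0]

def describe(sid):
    """Name the account by its RID where it is well known, e.g. RID 500 is
    the built-in Administrator even if the account has been renamed."""
    domain_id, rid = parse_sid(sid)
    if rid is None:
        return "domain SID for AD database %s" % (domain_id,)
    label = WELL_KNOWN_RIDS.get(rid, "ordinary object")
    return "RID %d (%s) in domain %s" % (rid, label, domain_id)

def issuing_dc(rid, pools):
    """Map a RID back to the DC whose RID-master-assigned block contains it.
    pools: {dc_name: (first_rid, last_rid)}, inclusive and non-overlapping."""
    for dc, (first, last) in pools.items():
        if first <= rid <= last:
            return dc
    return None   # well-known RIDs (e.g. 500) come from no pool

# Constructed sample data (hypothetical domain identifiers and RID pools)
SAMPLE_ADMIN = "S-1-5-21-1004336348-1177238915-682003330-500"
SAMPLE_USER1 = "S-1-5-21-1004336348-1177238915-682003330-1105"
OTHER_DOMAIN = "S-1-5-21-3623811015-3361044348-30300820-1013"
SAMPLE_POOLS = {"1.a.com": (1000, 1499), "2.a.com": (1500, 1999)}
```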

There is another operation master in the domain, the PDC emulator role. The domain controller holding this role in a domain is always synchronized with the forest root domain controller's PDC emulator for time synchronization.

Every domain has its DC paired with the forest root DC’s PDC emulator.

In case a user’s password is changed by the Administrator on a DC and the user is already logged in using the old password, then the DC contacts the DC holding the PDC emulator role and terminates that user’s session.

Domain servers are built to offer services that keep everything live and synchronized, and for this it is important to have a seamless network between the devices.

Hence, we will see some offline features if this network is not reliable.

· To join a device/computer into a domain, we can use an offline join with the command “djoin”, which creates a file on the DC; that file should then be copied to and executed on the other computer/server which is to be joined.

1) Used for a centralized approach to provide various services like user authentication, web services, mail services, etc.

2) For the centralized approach we use domain names to logically define the boundary of an organization. For eg: cms.com <-- which is also known as an FQDN (Fully Qualified Domain Name); eg: server1.cms.com <--- this is my FQDN, where server1 is my hostname and cms.com is my domain name.

3) Domain names are the object reference which the client looks up for services. They cannot be resolved without the help of DNS. The DNS has SRV records that enable different services to be reached via their port numbers. For eg: the port number for LDAP is 389, where LDAP is the Lightweight Directory Access Protocol. DNS also helps server and client to resolve the domain name to its IP and vice versa.

(Note: Kerberos <--- port number is 88. It encrypts the username and password.)

4) For example: if a user tries to log on to a domain, then firstly that computer has to be a part of that domain and should be listed in the domain controller's Active Directory under "Computers". Next it should be able to resolve the domain name, hence always provide the IP of the domain controller where DNS is enabled in the client's network settings. Now that we have all the necessary prerequisites we may log on as "cms\user1", where cms -> domain name and user1 -> user. Now that the client has joined the computer to the domain, the domain's KDC (Key Distribution Center) service will provide a TGT (Ticket Granting Ticket), which is sort of a card used to verify access. Back to the user logon that is trying to log on with username "cms\user1": now this PC (i.e. PC1) will use its TGT and Kerberos to authenticate the credentials, and the TGT will verify if this user has rights to log on to this PC1. If it has, then that TGT request is granted by the server to this client.
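As an added example (not from the original post) for the DNS lookup in points 3 and 4, this Python builds the SRV names a domain member queries for LDAP (389) and Kerberos (88), parses sample SRV answers for cms.com, and orders the domain controllers the way a client would try them, flagging records with an unexpected port or a target outside the domain; the DNS answers are constructed and no network is used.

```python
# Service names an AD DNS zone publishes, with the port each is expected to
# carry (389 for LDAP, 88 for Kerberos, as in the post).
EXPECTED_PORTS = {"_ldap._tcp": 389, "_kerberos._tcp": 88}

def srv_name(service, domain):
    """The record a client queries, e.g. _ldap._tcp.cms.com."""
    if service not in EXPECTED_PORTS:
        raise ValueError("unknown service: %r" % service)
    return "%s.%s" % (service, domain)

def parse_srv(answer):
    """Parse one SRV record given in the text form 'priority weight port target'."""
    fields = answer.split()
    if len(fields) != 4:
        raise ValueError("bad SRV record: %r" % answer)
    priority, weight, port = (int(f) for f in fields[:3])
    if not 0 <= port <= 65535:
        raise ValueError("bad port in SRV record: %r" % answer)
    return {"priority": priority, "weight": weight, "port": port,
            "target": fields[3].rstrip(".")}

def locate(service, domain, answers):
    """Return (usable targets, suspect targets) for a service.

    Usable records are ordered as a client would try them: lowest priority
    first.  Real clients choose among equal priorities at random in
    proportion to weight; here the heavier weight simply sorts first.
    Records with the wrong port or a target outside the domain are the
    misconfigurations an administrator checks for when logons fail.
    """
    expected = EXPECTED_PORTS[service]
    usable, suspect = [], []
    for rec in (parse_srv(a) for a in answers):
        if rec["port"] != expected or not rec["target"].endswith("." + domain):
            suspect.append(rec["target"])
        else:
            usable.append(rec)
    usable.sort(key=lambda r: (r["priority"], -r["weight"], r["target"]))
    return [(r["target"], r["port"]) for r in usable], suspect

# Constructed sample answers for _ldap._tcp.cms.com and _kerberos._tcp.cms.com
SAMPLE_LDAP = [
    "0 100 389 server1.cms.com.",
    "0 50 389 server2.cms.com.",
    "10 100 389 backupdc.cms.com.",
    "0 100 3268 server1.cms.com.",      # wrong port for the LDAP service record
    "0 100 389 dc.other.example.",      # target outside the domain
]
SAMPLE_KRB = ["0 100 88 server1.cms.com."]
```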

5) AD is the database containing all the objects like users, computers and other network resources. The information is present in the default directory "C:\Windows\NTDS". Here, NTDS.DIT is the file that contains the AD, which further includes the Schema partition. The Schema partition defines the attributes of the objects that AD stores. This Schema can only be changed in the forest root domain, since the Schema Master role is only present there. The forest root domain has the two groups that have those rights, i.e. Enterprise Admins and Schema Admins. Enterprise Admins group members have the right to edit the domain naming context, while the Schema Admins can edit the Schema.

6) All the domain controllers in a forest share the same schema. The AD database is replicated among all of them in a domain.